best way to save passwords in SQL server?

Jassim,

Honestly, don't. Saving passwords is a bad, bad idea. You are better
off creating a challenge/response mechanism.

However, if you have to save passwords, then encrypt the column, and
make sure that you secure the encryption key well. Here is some information
on how to encrypt a column of data:

http://msdn2.microsoft.com/en-us/library/ms179331.aspx
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"Jassim Rahma" <jr****@hotmail.comwrote in message
news:5D**********************************@microsof t.com...

>I want to know what's the best way to save passwords in SQL server using
C#?

I want to know what's the best way to save passwords in SQL server using C#?

Use System.Security.Cryptography and convert password into hashes use
SHA1/MD5

Iapain wrote:

>I want to know what's the best way to save passwords in SQL server using C#?

Use System.Security.Cryptography and convert password into hashes use
SHA1/MD5

Note that hashing algorithms are by nature one-way, meaning there isn't
a way to "unhash" something into a password again if you need to
retrieve it. Storing hashes is generally better, but it will mean that
should you ever actually need/want to see the password, you will be
unable to do so (easily, see below).

It used to be that hashes were viewed as offering more security in the
event of a system compromise but that's not necessarily true anymore
with the advent of Rainbow Tables and cheap disk space.

Chris.

Well, if you use a salt value then any attack using rainbow tables is
easily avoided.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"Chris Shepherd" <ch**@nospam.chsh.cawrote in message
news:OO**************@TK2MSFTNGP04.phx.gbl...

Iapain wrote:

>>I want to know what's the best way to save passwords in SQL server using
C#?

Use System.Security.Cryptography and convert password into hashes use
SHA1/MD5

Note that hashing algorithms are by nature one-way, meaning there isn't a
way to "unhash" something into a password again if you need to retrieve
it. Storing hashes is generally better, but it will mean that should you
ever actually need/want to see the password, you will be unable to do so
(easily, see below).

It used to be that hashes were viewed as offering more security in the
event of a system compromise but that's not necessarily true anymore with
the advent of Rainbow Tables and cheap disk space.

Chris.

Nicholas Paldino [.NET/C# MVP] wrote:

Well, if you use a salt value then any attack using rainbow tables is
easily avoided.

Assuming they didn't already know the algorithm used. Salts do help, but
they don't invalidate rainbow tables -- just those using a different
algorithm to generate hash entries. Any way you slice it a total system
compromise is bad.

Chris.

thsn how can read it?

can you show an example on how to create the passowrd and read it back using
a login textbox?

"Chris Shepherd" <ch**@nospam.chsh.cawrote in message
news:OO**************@TK2MSFTNGP04.phx.gbl...

Iapain wrote:

>>I want to know what's the best way to save passwords in SQL server using
C#?

Use System.Security.Cryptography and convert password into hashes use
SHA1/MD5

Note that hashing algorithms are by nature one-way, meaning there isn't a
way to "unhash" something into a password again if you need to retrieve
it. Storing hashes is generally better, but it will mean that should you
ever actually need/want to see the password, you will be unable to do so
(easily, see below).

It used to be that hashes were viewed as offering more security in the
event of a system compromise but that's not necessarily true anymore with
the advent of Rainbow Tables and cheap disk space.

Chris.

Jassim Rahma wrote:

>
thsn how can read it?

can you show an example on how to create the passowrd and read it back
using a login textbox?

Nicholas already provided a response on this earlier when he told you
that it was a bad idea to save passwords, but if you absolutely must,
use an encrypted column of data. There's a link in that post that
explains it fairly well.

Chris.

Jassim Rahma wrote:

>
"Chris Shepherd" <ch**@nospam.chsh.cawrote in message
news:OO**************@TK2MSFTNGP04.phx.gbl...

>Iapain wrote:

>>>I want to know what's the best way to save passwords in SQL server
using C#?

Use System.Security.Cryptography and convert password into hashes use
SHA1/MD5

Note that hashing algorithms are by nature one-way, meaning there
isn't a way to "unhash" something into a password again if you need to
retrieve it. Storing hashes is generally better, but it will mean that
should you ever actually need/want to see the password, you will be
unable to do so (easily, see below).

It used to be that hashes were viewed as offering more security in the
event of a system compromise but that's not necessarily true anymore
with the advent of Rainbow Tables and cheap disk space.

Chris.

>
thsn how can read it?

can you show an example on how to create the passowrd and read it back
using a login textbox?

You would generate a hash of the password they entered in the textbox
and compare it to your stored hash, if they are equal then its the same
password.
Taking care to go through the same salting routine if used.

JB